
Cannot create VPN with partner

RunningRoom
Level 1

Our organization is in the process of upgrading the hardware we use for establishing a VPN connection with our partner.

 

The old hardware is a Cisco 2811(OldCore) router and the new one is a Cisco 4431(NewCore).

The partner uses a Sonicwall device at the other end for the VPN connection. The VPN between the OldCore and the Sonicwall device works fine. However, when we try to replace the OldCore with the NewCore, the VPN connection does not come up. I have checked the parameters and they are all the same for OldCore and NewCore. The partner says they do not have anything configured at their end that would cause this problem.

The result of "sh cry isa sa" on NewCore is:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xx.xx.xx.xx yy.yy.yy.yy  MM_NO_STATE          0 ACTIVE
xx.xx.xx.xx yy.yy.yy.yy  MM_NO_STATE          0 ACTIVE (deleted)

 

When I disconnect NewCore and replace it with OldCore, the VPN connection comes back up without any issues.

One strange thing is that I can ping the public IP of the partner's device from OldCore (public interface) but not from NewCore (public interface). However, I am able to ping the public IP of the partner device from the inside interface of NewCore.

Has anyone had this issue? How did you fix it?

1 Accepted Solution

Abaji Rawool
Level 3

Hi,

You might want to review the NAT configuration of the new core. Also, you can run the following debugs while trying to bring up the tunnel from the new core router by sending interesting traffic for the VPN.

 

debug cry cond peer ipv4 <peer ip>

debug cry isa

debug cry ips

When the debugs are collected, type "undebug all".

HTH

Abaji.
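
A small triage helper for the "sh cry isa sa" output quoted in the question, added here as an example and not part of the original thread: it parses the table and reports peer pairs whose IKEv1 phase 1 never reaches QM_IDLE. The function names and the third sample row (documentation addresses) are constructed for illustration; the state descriptions paraphrase Cisco's IOS documentation.

```python
import re

# IKEv1 phase 1 states in negotiation order, with the meanings Cisco documents.
STATES = [
    ("MM_NO_STATE", "SA created, nothing negotiated with the peer yet"),
    ("MM_SA_SETUP", "peers agreed on ISAKMP policy parameters"),
    ("MM_KEY_EXCH", "Diffie-Hellman keys exchanged, SA not authenticated"),
    ("MM_KEY_AUTH", "SA authenticated, quick mode comes next"),
    ("QM_IDLE", "phase 1 established"),
]
RANK = {name: i for i, (name, _) in enumerate(STATES)}

# dst, src, state, conn-id, status (status may carry a "(deleted)" suffix)
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]{2}_[A-Z_]+)\s+(\d+)\s+(\S.*)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id),
                         "deleted": "(deleted)" in status})
    return rows

def stalled_peers(text):
    """Map (dst, src) -> furthest state reached, for pairs with no QM_IDLE SA."""
    best = {}
    for row in parse_isakmp_sa(text):
        key = (row["dst"], row["src"])
        rank = RANK.get(row["state"], -1)  # unknown (e.g. aggressive mode) = -1
        if key not in best or rank > best[key][0]:
            best[key] = (rank, row["state"])
    return {k: s for k, (rank, s) in best.items() if rank < RANK["QM_IDLE"]}

# Constructed sample: the two rows from the post plus one healthy tunnel.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
xx.xx.xx.xx yy.yy.yy.yy  MM_NO_STATE          0 ACTIVE
xx.xx.xx.xx yy.yy.yy.yy  MM_NO_STATE          0 ACTIVE (deleted)
192.0.2.1       198.51.100.7    QM_IDLE           1001 ACTIVE
"""

if __name__ == "__main__":
    for (dst, src), state in stalled_peers(SAMPLE).items():
        why = dict(STATES).get(state, "unrecognised state")
        print(f"{src} -> {dst}: stuck at {state} ({why})")
```

A pair that stays at MM_NO_STATE, as in the post, has not completed even the first main mode exchange, which is the point where the conditional debugs above are most useful.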